Beda
Virus.DOS.Beda is a memory-resident parasitic virus on DOS, and some variants are self-encrypting. There are 16 variants in 6 versions, represented by the following:
*Virus.DOS.Beda.332
*Virus.DOS.Beda.337
*Virus.DOS.Beda.609
*Virus.DOS.Beda.883
*Virus.DOS.Beda.1530
*Virus.DOS.Beda.3233

Behavior
When the virus is loaded into memory, it hooks INT 21h and writes itself to the end of files that are run or closed. When an infected file is opened, the virus disinfects it temporarily, but the file is infected again on closing. The virus uses the hexadecimal value BEDAh as its identification for infected files and for detecting that a TSR copy of the virus has already been loaded. During infection the virus might corrupt the file being infected, making the system crash when that file is executed. The infection size varies between files.

Beda.332
This variant is believed to be the very first version of the Beda family. It infects DOS executable files only, but it contains bugs, so not every file that is executed will be infected. This variant does not check whether a file has already been infected, so it reinfects the file each time it is run, growing the size of the file. The timestamp of infected files is changed to the time of infection.

Beda.337, 403, 419, 420, 552, 883, 1196 and 1301
Unlike Beda.332, these infect every DOS executable that is run, and they do not reinfect files. For Beda.337, 403, 419 and 420, the timestamp of infected files is changed to the time of infection. For the rest, the timestamp is malformed by changing the date to random values and the time to 23:54:52.

Beda.609
This is the only variant that infects EXE files only, and the timestamp is changed to the time of infection. Additionally, this variant contains bugs that might crash the system by attempting to access an invalid part of memory during execution.
Beda.1314, 1530, 1724 and 1857
These variants infect every executable file that is run, and the timestamp of infected files is malformed by changing the date to invalid values and the time to 23:54:52.

Beda.3233 and 3291
These are encrypted variants. They infect every DOS executable file that is run, and the timestamp of infected files is malformed by changing the date to invalid values and the time to 23:54:52. Not every EXE file is infected by these variants.

Advanced details
The TSR memory usage of the variants is shown below:

MD5 hashes:

Payload
Beda.332, 337, 420 and 609
These variants do not manifest themselves in any way.

Beda.403
When a file infected by this variant is run, the virus appends 4 extra blank lines and a message:
WOODPECKER WARNING !
It then thickens the cursor to insert-mode style.

Beda.419 and 552
These variants play a chord from the PC speaker when an infected file is run.

Beda.883, 1196 and 1301
These variants manifest themselves with a video effect: they draw 3 moving colour bars (red, green and blue) on screen, which can be cleared, returning to DOS, with a keypress. This is the only version that produces the video effect.

Beda.1314
This variant is a pre-release of the file-deleting version (Beda.1530 and later) and does not manifest itself in any way.

Beda.1530, 1724, 1857, 3233 and 3291
These variants are relatively dangerous. They check whether the filename of every file that is run begins with any of the following text strings, in an attempt to delete anti-virus programs:
-V
AIDSTEST
A-DINF
WEB
When such a program is run, the virus outputs the message:
Bad Command or file name
and then deletes the file, in the same way as Jerusalem. They also hook INT 9, and depending on their internal counters they change the keys that are entered:
n -> y
N -> Y
Except for Beda.1530, when an infected program is run in November or December, the virus resets the computer.
If COMMAND.COM has been infected, the computer keeps resetting in an infinite loop during these months. Beda.3233 and 3291 contain another payload, but the method of activation is currently unknown.

Variants
This family has 16 variants in total:
*Virus.DOS.Beda.332
*Virus.DOS.Beda.337
*Virus.DOS.Beda.403
*Virus.DOS.Beda.419
*Virus.DOS.Beda.420
*Virus.DOS.Beda.552
*Virus.DOS.Beda.609
*Virus.DOS.Beda.883
*Virus.DOS.Beda.1196
*Virus.DOS.Beda.1301
*Virus.DOS.Beda.1314
*Virus.DOS.Beda.1530
*Virus.DOS.Beda.1724
*Virus.DOS.Beda.1857
*Virus.DOS.Beda.3233
*Virus.DOS.Beda.3291

Other details
A noticeable delay can be observed when a file infected by Beda.1301, 1196, 1314, 1530 or 1857 is run.
Beda.403 contains the internal text string:
WOODPECKER WARNING !
Beda.1724 contains the internal text string:
07/28/98
Beda.1857 contains the internal text string:
05/05/91
Beda.3233 contains the encrypted internal text strings:
Mister Danilov why you add in my family viruses BEDA-338 and BEDA-352 ?
07/28/98
Beda.3291 contains the encrypted internal text strings:
Mister Danilov why you add in my family viruses BEDA-338 and BEDA-352 ?
02/06/96
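Added example (not from the wiki page or its sources): a small Python triage helper that parses 32-byte FAT directory entries and flags the malformed timestamp pattern described under Behavior, i.e. an out-of-range date together with a time of 23:54:52. Note that the packed DOS time word for 23:54:52 is exactly BEDAh, the identification value the page names; the page does not say where the marker is stored, so reading the time field as the marker is an inference, and the sample directory entries below are constructed, not taken from real infected files.

```python
import struct

BEDA_MARKER = 0xBEDA  # identification value the page names for infected files

def decode_dos_time(word):
    """Unpack a 16-bit FAT time word: 5 bits hour, 6 bits minute, 5 bits seconds/2."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def decode_dos_date(word):
    """Unpack a 16-bit FAT date word: 7 bits years since 1980, 4 bits month, 5 bits day."""
    return 1980 + ((word >> 9) & 0x7F), (word >> 5) & 0x0F, word & 0x1F

def encode_dos_time(hour, minute, second):
    return (hour << 11) | (minute << 5) | (second // 2)

def encode_dos_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day

def parse_dir_entry(raw):
    """Parse a classic 32-byte FAT directory entry into (name, time_word, date_word, size)."""
    name, ext, _attr, _res, time_word, date_word, _clus, size = struct.unpack("<8s3sB10sHHHI", raw)
    full = name.decode("ascii").rstrip() + "." + ext.decode("ascii").rstrip()
    return full, time_word, date_word, size

def make_dir_entry(name, ext, time_word, date_word, size):
    """Build a constructed 32-byte entry for testing; not taken from a real disk."""
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(), ext.ljust(3).encode(),
                       0x20, b"\0" * 10, time_word, date_word, 2, size)

def triage_entry(raw):
    """Return (name, findings): a BEDAh time word and/or a date field outside FAT ranges."""
    name, t, d, _ = parse_dir_entry(raw)
    findings = []
    if t == BEDA_MARKER:
        findings.append("time word is BEDAh, i.e. %02d:%02d:%02d" % decode_dos_time(t))
    year, month, day = decode_dos_date(d)
    if not (1 <= month <= 12 and 1 <= day <= 31):
        findings.append("date field out of range: %04d-%02d-%02d" % (year, month, day))
    return name, findings

SAMPLE_ENTRIES = [  # constructed sample entries
    make_dir_entry("CLEAN", "COM", encode_dos_time(9, 30, 0), encode_dos_date(1991, 5, 14), 4096),
    make_dir_entry("SUSPECT", "EXE", 0xBEDA, encode_dos_date(1991, 0, 0), 8192),  # month 0, day 0
    make_dir_entry("ODD", "COM", 0xBEDA, encode_dos_date(1991, 5, 14), 2048),     # time only
]

def scan(entries=SAMPLE_ENTRIES):
    """Map file name -> findings for every entry that has at least one finding."""
    result = {}
    for raw in entries:
        name, findings = triage_entry(raw)
        if findings:
            result[name] = findings
    return result
```

A clean file whose time happens to be 23:54:52 would also be flagged, so treat the time word as a triage hint to be confirmed by a full scan, not as proof of infection.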